From: George Thessalonikefs
Date: Fri, 17 Apr 2020 09:27:39 +0000 (+0200)
Subject: Revert "- Remove SNI support from unbound-anchor; TLS is used only for"
X-Git-Tag: release-1.11.0~58^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1db2ab678d1b731185a9d74276c35ac741b2c63f;p=thirdparty%2Funbound.git

Revert "- Remove SNI support from unbound-anchor; TLS is used only for"

This reverts commit 9d197eb11061c2a7d805c9de5f411b425a030f05.

Server-side software may use SNI to pick the correct virtual host.
---

diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index b8bd1b850..b8aa10fe2 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -187,6 +187,7 @@ usage(void)
 	printf("-c file cert file, default %s\n", ROOT_CERT_FILE);
 	printf("-l list builtin key and cert on stdout\n");
 	printf("-u name server in https url, default %s\n", URLNAME);
+	printf("-S use SNI for the https connection\n");
 	printf("-x path pathname to xml in url, default %s\n", XMLNAME);
 	printf("-s path pathname to p7s in url, default %s\n", P7SNAME);
 	printf("-n name signer's subject emailAddress, default %s\n", P7SIGNER);
@@ -772,7 +773,7 @@ setup_sslctx(void)
 
 /** initiate TLS on a connection */
 static SSL*
-TLS_initiate(SSL_CTX* sslctx, int fd)
+TLS_initiate(SSL_CTX* sslctx, int fd, const char* urlname, int use_sni)
 {
 	X509* x;
 	int r;
@@ -788,6 +789,9 @@ TLS_initiate(SSL_CTX* sslctx, int fd)
 		SSL_free(ssl);
 		return NULL;
 	}
+	if(use_sni) {
+		(void)SSL_set_tlsext_host_name(ssl, urlname);
+	}
 	while(1) {
 		ERR_clear_error();
 		if( (r=SSL_do_handshake(ssl)) == 1)
@@ -1123,7 +1127,7 @@ read_http_result(SSL* ssl)
 /** https to an IP addr, return BIO with pathname or NULL */
 static BIO*
 https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
-	struct ip_list* src)
+	struct ip_list* src, int use_sni)
 {
 	int fd;
 	SSL* ssl;
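Review bot: The one-line doc comment `/** initiate TLS on a connection */` above TLS_initiate is left untouched in the -772 hunk although the signature gains two parameters, while https() in this same patch documents its new parameter with an @param line. I would extend it to `/** initiate TLS on a connection; when use_sni is nonzero, urlname is sent as the TLS SNI host name */`, or add @param lines for sslctx, fd, urlname and use_sni in the file's existing Doxygen style. TLS_initiate's body continues outside this hunk.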
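Review bot: In the -788 hunk the result of SSL_set_tlsext_host_name() is discarded with a `(void)` cast, so when the user explicitly requested SNI with -S and setting the extension fails, the handshake silently proceeds without SNI and the resulting server-side virtual-host mismatch is hard to diagnose. The preceding lines of this function fail the connection with `SSL_free(ssl); return NULL;` when SSL_set_fd() fails, and an opt-in feature that could not be honoured deserves the same treatment: `if(!SSL_set_tlsext_host_name(ssl, urlname)) { SSL_free(ssl); return NULL; }`, with a message under the file's verbosity flag in the style of the surrounding error paths (that flag is not visible in this hunk, so match whatever the neighbouring `SSL_set_fd` failure branch prints). TLS_initiate starts and ends outside this hunk.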
@@ -1137,7 +1141,7 @@ https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
 		SSL_CTX_free(sslctx);
 		return NULL;
 	}
-	ssl = TLS_initiate(sslctx, fd);
+	ssl = TLS_initiate(sslctx, fd, urlname, use_sni);
 	if(!ssl) {
 		SSL_CTX_free(sslctx);
 		fd_close(fd);
@@ -1161,11 +1165,12 @@ https_to_ip(struct ip_list* ip, const char* pathname, const char* urlname,
  * @param pathname: pathname of file on server to GET.
  * @param urlname: name to pass as the virtual host for this request.
  * @param src: if nonNULL, source address to bind to.
+ * @param use_sni: if SNI will be used.
  * @return a memory BIO with the file in it.
  */
 static BIO*
 https(struct ip_list* ip_list, const char* pathname, const char* urlname,
-	struct ip_list* src)
+	struct ip_list* src, int use_sni)
 {
 	struct ip_list* ip;
 	BIO* bio = NULL;
@@ -1173,7 +1178,7 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname,
 	wipe_ip_usage(ip_list);
 	while( (ip = pick_random_ip(ip_list)) ) {
 		ip->used = 1;
-		bio = https_to_ip(ip, pathname, urlname, src);
+		bio = https_to_ip(ip, pathname, urlname, src, use_sni);
 		if(bio) break;
 	}
 	if(!bio) {
@@ -1929,7 +1934,7 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
 	const char* urlname, const char* xmlname, const char* p7sname,
 	const char* p7signer, const char* res_conf, const char* root_hints,
 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
-	int port)
+	int port, int use_sni)
 {
 	STACK_OF(X509)* cert;
 
@@ -1963,8 +1968,8 @@ do_certupdate(const char* root_anchor_file, const char* root_cert_file,
 #endif
 
 	/* fetch the necessary files over HTTPS */
-	xml = https(ip_list, xmlname, urlname, src);
-	p7s = https(ip_list, p7sname, urlname, src);
+	xml = https(ip_list, xmlname, urlname, src, use_sni);
+	p7s = https(ip_list, p7sname, urlname, src, use_sni);
 
 	/* verify and update the root anchor */
 	verify_and_update_anchor(root_anchor_file, xml, p7s, cert, p7signer);
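Review bot: The new @param line in the -1161 hunk, `@param use_sni: if SNI will be used.`, does not say what name is sent, although the line right above it already introduces urlname as the virtual host name; `@param use_sni: if nonzero, urlname is also sent as the TLS SNI host name.` states the relation a reader needs. The doc comment of https_to_ip, whose signature gains the same parameter in the -1123 hunk, sits outside these hunks; if it carries @param lines it would need the same addition.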
@@ -2235,7 +2240,7 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 	const char* urlname, const char* xmlname, const char* p7sname,
 	const char* p7signer, const char* res_conf, const char* root_hints,
 	const char* debugconf, const char* srcaddr, int ip4only, int ip6only,
-	int force, int res_conf_fallback, int port)
+	int force, int res_conf_fallback, int port, int use_sni)
 {
 	struct ub_result* dnskey;
 	int used_builtin = 0;
@@ -2278,7 +2283,7 @@ do_root_update_work(const char* root_anchor_file, const char* root_cert_file,
 		probe_date_allows_certupdate(root_anchor_file)) || force) {
 		if(do_certupdate(root_anchor_file, root_cert_file, urlname,
 			xmlname, p7sname, p7signer, res_conf, root_hints,
-			debugconf, srcaddr, ip4only, ip6only, port))
+			debugconf, srcaddr, ip4only, ip6only, port, use_sni))
 			return 1;
 		return used_builtin;
 	}
@@ -2307,8 +2312,9 @@ int main(int argc, char* argv[])
 	const char* srcaddr = NULL;
 	int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
 	int res_conf_fallback = 0;
+	int use_sni = 0;
 	/* parse the options */
-	while( (c=getopt(argc, argv, "46C:FRP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
+	while( (c=getopt(argc, argv, "46C:FRSP:a:b:c:f:hln:r:s:u:vx:")) != -1) {
 		switch(c) {
 		case 'l':
 			dolist = 1;
@@ -2331,6 +2337,9 @@ int main(int argc, char* argv[])
 		case 'u':
 			urlname = optarg;
 			break;
+		case 'S':
+			use_sni = 1;
+			break;
 		case 'x':
 			xmlname = optarg;
 			break;
@@ -2397,5 +2406,5 @@ int main(int argc, char* argv[])
 	return do_root_update_work(root_anchor_file, root_cert_file, urlname,
 		xmlname, p7sname, p7signer, res_conf, root_hints, debugconf,
-		srcaddr, ip4only, ip6only, force, res_conf_fallback, port);
+		srcaddr, ip4only, ip6only, force, res_conf_fallback, port, use_sni);
 }